I got the following in /var/log/messages:

Aug 14 10:11:22 D610 kernel: dracut: Loading SELinux policy
Aug 14 10:11:22 D610 kernel: SELinux: Disabled at runtime.
Aug 14 10:11:22 D610 kernel: type=1404 audit(1281773465.443:2): selinux=0 auid=4294967295 ses=4294967295
Aug 14 10:11:22 D610 kernel: dracut: /sbin/load_policy: Can't load policy: No such file or directory
Aug 14 10:11:22 D610 kernel: dracut: Switching root

But a message telling me that there is a file that isn't there, without telling me which file it is, does not help me investigate/debug what is going on. Could you please report the missing filename?

dracut-005-3.fc13.noarch
This message comes from /sbin/load_policy of the package policycoreutils
This is a kernel issue. *** This bug has been marked as a duplicate of bug 624043 ***
/me thinks there was a cut'n'paste error here and will reopen for confirmation from dwalsh. Bug 624043 is RHEL6 and not kernel-related but cronie leaking a FD, so I doubt that is the right bug?
(In reply to comment #2)
> This is a kernel issue.
>
> *** This bug has been marked as a duplicate of bug 624043 ***

How is it a kernel issue that /usr/sbin/load_policy doesn't print the name of the file it's failing to load?
The reason it fails to load the policy is a kernel issue. The other problem is that load_policy is calling a lower-level libselinux API that attempts to load various policy files, which may or may not exist. When the function errors out, it returns an errno. In this case the kernel is returning ENOENT, which perror translates as "No such file and directory". Most likely it tried to load /etc/selinux/targeted/policy/policy.24, which most likely existed. :^(
I think the essence of the problem I was trying to debug was that selinux for unknown reasons "suddenly" was disabled by configuration. I'm very sure that the policy was installed. From a luser perspective it seems like the libselinux api should syslog what file was missing and perhaps return another error code. Perhaps it fails because selinux wasn't enabled - then it should say that instead. Perhaps load_policy shouldn't try to load anything if selinux isn't enabled.
If SELinux is disabled the code will not run. I agree that the error message should be clearer.
I guess the kernel should return some other error code when selinux is completely disabled? "No such file" is almost certainly the wrong thing to return. OTOH load_policy could check if selinux is disabled and not even try to load the policy in the first place...
I have SELINUX disabled and I get the message:

dracut: /sbin/load_policy: Can't load policy file /etc/selinux/targeted/policy/policy.15: No such file or directory

The only file in the directory /etc/selinux/targeted/policy is policy.24.

I agree with the comment that load_policy should even be run if SELINUX is disabled. In file /usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh from dracut-005-3.fc13.noarch I suggest:
1) deleting line 10
2) changing line 14 to "return 0"
3) deleting lines 39-42
Well that would be wrong, since the main purpose on a disabled system is to tell the kernel to remove SELinux through the execution of load_policy. Do you have /etc/selinux/config? If yes what is its contents?
But why is it the job of dracut to effect the removal of a SELINUX policy? But anyway, the contents of my config file with comments deleted:

SELINUX=disabled
SELINUXTYPE=targeted
You can add the kernel boot line selinux=0 to /etc/grub.conf which will tell the kernel to boot with SELinux disabled. Or the kernel will come up with SELinux enabled and then when dracut runs load_policy, it will read /etc/selinux/config and see that selinux is disabled, and then tell the kernel to disable it.
But is it the job of dracut to disable SELINUX? Surely this should be done by something more appropriate than dracut.
This is the job of the initrd. dracut creates the initrd. Dracut is the appropriate component.
"This is the job of the initrd" - OK, I was not aware of this.
you might try dracut-005-5.fc13 https://admin.fedoraproject.org/updates/dracut-005-5.fc13
This applies to Fedora 14 as well.

dracut-006-3.fc14.noarch

[    1.335810] dracut: Loading SELinux policy
[    1.471838] SELinux: Disabled at runtime.
[    1.471880] SELinux: Unregistering netfilter hooks
[    1.471896] type=1404 audit(1290356120.285:2): selinux=0 auid=4294967295 ses=4294967295
[    1.496130] dracut: /sbin/load_policy: Can't load policy file /etc/selinux/targeted/policy/policy.15: No such file or directory
(In reply to comment #17)
> This applies to Fedora 14 as well
>
> dracut-006-3.fc14.noarch
>
> [    1.335810] dracut: Loading SELinux policy
> [    1.471838] SELinux: Disabled at runtime.
> [    1.471880] SELinux: Unregistering netfilter hooks
> [    1.471896] type=1404 audit(1290356120.285:2): selinux=0 auid=4294967295 ses=4294967295
> [    1.496130] dracut: /sbin/load_policy: Can't load policy file /etc/selinux/targeted/policy/policy.15: No such file or directory

Huh? Odd...

$ head -7 /usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh
#!/bin/sh
# FIXME: load selinux policy. this should really be done after we switchroot

rd_load_policy() {
    # If SELinux is disabled exit now
    getarg "selinux=0" > /dev/null && return 0

dracut-006-3.fc14 would not do that! Can you double check that the initramfs you are booting is built with dracut-006?

$ lsinitrd /boot/initramfs-$(uname -r).img|head -4
# lsinitrd /boot/initramfs-2.6.35.6-48.fc14.i686.PAE.img |head -4
/boot/initramfs-2.6.35.6-48.fc14.i686.PAE.img:
========================================================================
dracut-006-3.fc14
========================================================================
(In reply to comment #19)
> # lsinitrd /boot/initramfs-2.6.35.6-48.fc14.i686.PAE.img |head -4
> /boot/initramfs-2.6.35.6-48.fc14.i686.PAE.img:
> ========================================================================
> dracut-006-3.fc14
> ========================================================================

Can you attach your /usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh, and can you do:

# fgrep -r load_policy /usr/share/dracut/modules.d/
# fgrep -r load_policy /usr/share/dracut/modules.d/
/usr/share/dracut/modules.d/98selinux/check: [ -x "/usr/sbin/load_policy" -o -x "/sbin/load_policy" ] || exit 1
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh:rd_load_policy()
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh: if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh: # load_policy does mount /proc and /selinux in
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh: # libselinux,selinux_init_load_policy()
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh: if [ -x "$NEWROOT/sbin/load_policy" ]; then
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh: chroot "$NEWROOT" /sbin/load_policy -i
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh: chroot "$NEWROOT" /usr/sbin/load_policy -i
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh: warn "Machine in enforcing mode and cannot execute load_policy."
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh:rd_load_policy
Created attachment 462031 [details] selinux-loadpolicy.sh selinux-loadpolicy.sh from dracut-006-3.fc14.noarch
Created attachment 462033 [details] selinux-loadpolicy.sh patch I think the check if SELinux was disabled via configuration file needs to be moved.
(In reply to comment #17)
> This applies to Fedora 14 as well
>
> dracut-006-3.fc14.noarch
>
> [    1.335810] dracut: Loading SELinux policy
> [    1.471838] SELinux: Disabled at runtime.
> [    1.471880] SELinux: Unregistering netfilter hooks
> [    1.471896] type=1404 audit(1290356120.285:2): selinux=0 auid=4294967295 ses=4294967295
> [    1.496130] dracut: /sbin/load_policy: Can't load policy file /etc/selinux/targeted/policy/policy.15: No such file or directory

I can't believe this dmesg is from the initramfs, if you started with "selinux=0" in the kernel command line.
I never said I did, but it can be disabled in config file too, right? anaconda doesn't populate grub.conf, only /etc/selinux/config
(In reply to comment #25)
> I never said I did, but it can be disabled in config file too, right?
> anaconda doesn't populate grub.conf, only /etc/selinux/config

anaconda populates grub.conf, too
(In reply to comment #23)
> Created attachment 462033 [details]
> selinux-loadpolicy.sh patch
>
> I think the check if SELinux was disabled via configuration file needs to be
> moved.

Daniel Walsh wanted that check after load_policy.
(In reply to comment #26)
> anaconda populates grub.conf, too

Of course, but not in response to the selinux --disabled kickstart command.

(In reply to comment #27)
I wouldn't dare doubt Mr. Walsh, but this is odd and certainly the root cause of the error.
If SELinux is disabled via the config file, the load_policy command actually tells the kernel about this, and allows the kernel to disable the SELinux kernel hooks from the system. Removes selinuxfs from /proc/filesystems for example. If load_policy is never executed the kernel never gets told to remove the SELinux subsystem.
Dan, the dmesg seems to indicate the load_policy ran and that it disabled the selinux kernel hooks, but then still complained about not being able to find /etc/selinux/targeted/policy/policy.15. I find the fact that it is policy.15 kinda odd. Is load_policy looking for policy.X even when disabled? And then complaining?
Well no, but it is assuming it did. Ok, there seems to be a bug in load_policy.

	ret = selinux_init_load_policy(&enforce);
	...
	if (ret < 0) {
		char *path = policy_path();
		fprintf(stderr, _("%s: Can't load policy file %s: %s\n"),
			argv[0], path, strerror(errno));
		free(path);
		exit(2);
	}

Which is what we are seeing. If I look at the function, I see this comment.

	/*
	 * Only return 0 on a successful completion of policy load.
	 * In any other case, we want to return an error so that init
	 * knows not to proceed with the re-exec for the domain transition.
	 * Depending on the *enforce setting, init will halt (> 0) or proceed
	 * normally (otherwise).
	 */
	return -1;

This means if you call selinux_init_load_policy with SELinux disabled, then it will return -1 even if it is successful. Which causes this bug.
I think just changing to

	/* selinux_init_load_policy returns -1 if it did not load_policy
	 * On SELinux disabled system it will always return -1
	 * So check errno to see if anything went wrong */
	if (ret < 0 && errno != 0) {
		char *path = policy_path();
		fprintf(stderr, _("%s: Can't load policy file %s: %s\n"),
			argv[0], path, strerror(errno));
		free(path);
		exit(2);
	}
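The following is an added example, not code from policycoreutils or libselinux, that models the error check discussed in the two comments above: why the original `if (ret < 0)` reports "Can't load policy file" on an SELINUX=disabled system, how the proposed `ret < 0 && errno != 0` guard avoids that, and one caveat a reviewer would raise against the guard. `fake_init_load_policy()` is a hypothetical stand-in for `selinux_init_load_policy()` that only reproduces the return convention quoted from the library comment (0 on a successful load, -1 otherwise, errno set only when a system call actually failed); it does not touch the kernel or the filesystem.

```c
/*
 * Added example (not policycoreutils/libselinux source): model of the
 * load_policy error check before and after the errno guard proposed above.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Scenarios the stand-in can play out. */
enum load_outcome {
    LOAD_OK,           /* policy loaded: return 0 */
    LOAD_DISABLED,     /* SELINUX=disabled in /etc/selinux/config: kernel told to
                          drop SELinux, nothing failed, return -1, errno untouched */
    LOAD_MISSING_FILE  /* policy file absent: return -1 with errno = ENOENT */
};

/* Hypothetical stand-in for selinux_init_load_policy(): only 0 on a
 * successful load, -1 in every other case, including the "disabled" path. */
static int fake_init_load_policy(enum load_outcome outcome, int *enforce)
{
    *enforce = 0;
    switch (outcome) {
    case LOAD_OK:
        *enforce = 1;
        return 0;
    case LOAD_DISABLED:
        return -1;          /* no syscall failed, so errno is left alone */
    case LOAD_MISSING_FILE:
        errno = ENOENT;
        return -1;
    }
    return -1;
}

/* The check load_policy shipped with: any negative return is reported.
 * errno_before models whatever errno the caller was carrying before the call.
 * Returns 1 if "Can't load policy file ..." would be printed. */
int old_check_reports_error(enum load_outcome outcome, int errno_before)
{
    int enforce;
    errno = errno_before;
    int ret = fake_init_load_policy(outcome, &enforce);
    return ret < 0;
}

/* The proposed fix: report only when errno says something actually failed. */
int new_check_reports_error(enum load_outcome outcome, int errno_before)
{
    int enforce;
    errno = errno_before;
    int ret = fake_init_load_policy(outcome, &enforce);
    return ret < 0 && errno != 0;
}

/* Hardened variant: clear errno right before the call, so a value left over
 * from an earlier, unrelated failure cannot trigger a false report. */
int reset_check_reports_error(enum load_outcome outcome, int errno_before)
{
    int enforce;
    (void)errno_before;     /* whatever was pending is irrelevant... */
    errno = 0;              /* ...because we clear it immediately before the call */
    int ret = fake_init_load_policy(outcome, &enforce);
    return ret < 0 && errno != 0;
}

int main(void)
{
    const char *names[] = { "loaded", "disabled", "missing file" };
    for (int o = LOAD_OK; o <= LOAD_MISSING_FILE; o++) {
        printf("%-12s old: %d  fixed: %d  fixed+stale EACCES: %d  reset+stale: %d\n",
               names[o],
               old_check_reports_error((enum load_outcome)o, 0),
               new_check_reports_error((enum load_outcome)o, 0),
               new_check_reports_error((enum load_outcome)o, EACCES),
               reset_check_reports_error((enum load_outcome)o, EACCES));
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c && ./a.out`. The "disabled" row shows the bug (old check reports, fixed check does not) and the "missing file" row shows the fixed check still catching a real ENOENT. The third column is the caveat: `errno` is only meaningful right after a call that documents setting it, so a stale value from an earlier failed call in the same process makes the `errno != 0` guard report an error on a perfectly healthy disabled system. Clearing `errno` immediately before `selinux_init_load_policy()` removes the caller's own stale values; it cannot distinguish a non-fatal failure inside the library that happens to set `errno`, so a return code that separates "disabled" from "failed" would be the more robust interface.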
I have added this fix to policycoreutils-2.0.83-36.fc15, if it works there I will back port to F13.
I would be happy to test, but I have only F14
Fixed in policycoreutils-2.0.83-33.2.fc14
policycoreutils-2.0.83-33.2.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.2.fc14
Do I need to regenerate the initramfs?

# rpm -qf /sbin/load_policy
policycoreutils-2.0.83-33.2.fc14.i686

[    1.337049] dracut: Loading SELinux policy
[    1.500748] SELinux: Disabled at runtime.
[    1.500790] SELinux: Unregistering netfilter hooks
[    1.500806] type=1404 audit(1290533429.238:2): selinux=0 auid=4294967295 ses=4294967295
[    1.525657] dracut: /sbin/load_policy: Can't load policy file /etc/selinux/targeted/policy/policy.15: No such file or directory
[    1.581629] dracut: Switching root
policycoreutils-2.0.83-33.2.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update policycoreutils'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/policycoreutils-2.0.83-33.2.fc14
policycoreutils-2.0.83-33.2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.